<!DOCTYPE html><html lang="en"><head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <meta content="CR" name="w3c-status">
  <title>HTML 5.1: 12. IANA considerations</title>
  <link href="styles/styles-html.css" rel="stylesheet" type="text/css">
  <link href="styles.default.css" rel="stylesheet" type="text/css">
  <meta content="Bikeshed 1.0.0" name="generator">

  <link href="styles/W3C-CR" rel="stylesheet" type="text/css">
 </head>
 <body class="h-entry">
  <div class="head">
   <header>
    <p data-fill-with="logo"><a href="http://www.w3.org/"><img alt="W3C" height="48" src="styles/logos/W3C" width="72"></a></p>
    <h1 class="p-name no-ref allcaps" id="title">HTML 5.1</h1>
    <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">W3C Candidate Recommendation, <time class="dt-updated" datetime="2016-06-21">21 June 2016</time></span></h2>
   </header>
   
   
   
   
  </div>
  
  
  
  
  
  <nav data-fill-with="table-of-contents" id="toc"><p class="prev_next">← <a href="obsolete.html#obsolete"><span class="secno">11</span> <span class="content">Obsolete features</span></a> — <a href="index.html#contents">Table of contents</a> — <a href="fullindex.html#index"><span class="secno"></span> <span class="content">Index</span></a> →</p>
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory"><li>
     <a href="iana.html#iana"><span class="secno">12</span> <span class="content">IANA considerations</span></a>
     <ol class="toc">
      <li><a href="iana.html#text-html"><span class="secno">12.1</span> <span class="content"><code>text/html</code></span></a>
      </li><li><a href="iana.html#multipart-x-mixed-replace"><span class="secno">12.2</span> <span class="content"><code>multipart/x-mixed-replace</code></span></a>
      </li><li><a href="iana.html#application-xhtmlxml"><span class="secno">12.3</span> <span class="content"><code>application/xhtml+xml</code></span></a>
      </li><li><a href="iana.html#web-scheme-prefix"><span class="secno">12.4</span> <span class="content"><code>web+</code> scheme prefix</span></a>
     </li></ol>
    </li></ol>
  </nav><main><section>
    <h2 class="heading settled" data-level="12" id="iana"><span class="secno">12. </span><span class="content">IANA considerations</span><a class="self-link" href="iana.html#iana"></a></h2>
    <h3 class="heading settled" data-level="12.1" id="text-html"><span class="secno">12.1. </span><span class="content"><code>text/html</code></span><a class="self-link" href="iana.html#text-html"></a></h3>
    <p>This registration is for community review and will be submitted to the IESG for review, approval,
  and registration with IANA.</p>
    <dl>
     <dt data-md="">
      <p>Type name:</p>
     </dt><dd data-md="">
      <p>text</p>
     </dd><dt data-md="">
      <p>Subtype name:</p>
     </dt><dd data-md="">
      <p>html</p>
     </dd><dt data-md="">
      <p>Required parameters:</p>
     </dt><dd data-md="">
      <p>No required parameters</p>
     </dd><dt data-md="">
      <p>Optional parameters:</p>
     </dt><dd data-md="">
      <dl>
       <dt data-md="">
        <p><code>charset</code></p>
       </dt><dd data-md="">
        <p>The <code>charset</code> parameter may be provided to specify the <a data-link-type="dfn" href="https://www.w3.org/TR/dom/#concept-document-encoding">document’s character encoding</a>, overriding any <a data-link-type="dfn" href="document-metadata.html#character-encoding-declaration" id="ref-for-character-encoding-declaration-11">character encoding declarations</a> in the document other than a Byte Order Mark (BOM).
  The parameter’s value must be one of the <a data-link-type="dfn" href="infrastructure.html#character-encoding" id="ref-for-character-encoding-20">labels</a> of the <a data-link-type="dfn" href="infrastructure.html#character-encoding" id="ref-for-character-encoding-21">character encoding</a> used to serialize the file. <a data-link-type="biblio" href="references.html#biblio-encoding">[ENCODING]</a></p>
      </dd></dl>
     </dd><dt data-md="">
      <p>Encoding considerations:</p>
     </dt><dd data-md="">
      <p>8bit (see the section on <a data-link-type="dfn" href="document-metadata.html#character-encoding-declaration" id="ref-for-character-encoding-declaration-12">character encoding declarations</a>)</p>
     </dd><dt data-md="">
      <p>Security considerations:</p>
     </dt><dd data-md="">
      <p>Entire novels have been written about the security considerations that apply to HTML documents.
  Many are listed in this document, to which the reader is referred for more details. Some
  general concerns bear mentioning here, however:</p>
      <p>HTML is a scripted language, and has a large number of APIs (some of which are described in
  this document). Script can expose the user to potential risks of information leakage,
  credential leakage, cross-site scripting attacks, cross-site request forgeries, and a host of
  other problems. While the designs in this specification are intended to be safe if implemented
  correctly, a full implementation is a massive undertaking and, as with any software, user
  agents are likely to have security bugs.</p>
      <p>Even without scripting, there are specific features in HTML which, for historical reasons,
  are required for broad compatibility with legacy content but that expose the user to
  unfortunate security problems. In particular, the <code><a data-link-type="element" href="semantics-embedded-content.html#elementdef-img" id="ref-for-elementdef-img-187">img</a></code> element can be used in
  conjunction with some other features as a way to effect a port scan from the user’s location
  on the Internet. This can expose local network topologies that the attacker would otherwise
  not be able to determine.</p>
      <p>HTML relies on a compartmentalization scheme sometimes known as the <i>same-origin policy</i>.
  An <a data-link-type="dfn" href="browsers.html#concept-cross-origin" id="ref-for-concept-cross-origin-103">origin</a> in most cases consists of all the pages served from the same
  host, on the same port, using the same protocol.</p>
      <p>It is critical, therefore, to ensure that any untrusted content that forms part of a site be
  hosted on a different <a data-link-type="dfn" href="browsers.html#concept-cross-origin" id="ref-for-concept-cross-origin-104">origin</a> than any sensitive content on that site.
  Untrusted content can easily spoof any other page on the same origin, read data from that
  origin, cause scripts in that origin to execute, submit forms to and from that origin even if
  they are protected from cross-site request forgery attacks by unique tokens, and make use of
  any third-party resources exposed to or rights granted to that origin.</p>
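      <p>The origin comparison described above, as an added example that is not part of the specification: it derives the (protocol, host, port) tuple with the standard <code>URL</code> API and reports untrusted resources that share an origin with sensitive ones. The inventory, its host names and the <code>kind</code> labels are constructed for illustration.</p>

```javascript
// Added example (not from the specification). Constructed inventory:
// the URLs and the "kind" labels are assumptions for illustration.
const resources = [
  { url: "https://app.example.com/account", kind: "sensitive" },
  // Same host, explicit default port, different path: still the same origin.
  { url: "https://app.example.com:443/uploads/profile.html", kind: "untrusted" },
  // Different host: different origin.
  { url: "https://usercontent.example.net/u/123/page.html", kind: "untrusted" },
  // Different protocol: different origin.
  { url: "http://app.example.com/help", kind: "untrusted" },
  // Different port: different origin.
  { url: "https://app.example.com:8443/widgets/x.html", kind: "untrusted" },
];

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Spell out the tuple the text describes: protocol, host and port.
// URL.port is "" when the port is the protocol's default, so fill it in.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Return the untrusted URLs whose origin equals the origin of any
// sensitive resource. URL.origin already normalises default ports and
// ignores the path, so a separate directory gives no isolation.
function findSharedOrigins(items) {
  const sensitiveOrigins = new Set(
    items
      .filter((r) => r.kind === "sensitive")
      .map((r) => new URL(r.url).origin)
  );
  return items
    .filter((r) => r.kind === "untrusted")
    .filter((r) => sensitiveOrigins.has(new URL(r.url).origin))
    .map((r) => r.url);
}

const shared = findSharedOrigins(resources);
console.log(shared);
```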
     </dd><dt data-md="">
      <p>Interoperability considerations:</p>
     </dt><dd data-md="">
      <p>Rules for processing both conforming and non-conforming content are defined in this
  specification.</p>
     </dd><dt data-md="">
      <p>Published specification:</p>
     </dt><dd data-md="">
      <p>This document is the relevant specification. Labeling a resource with the <a href="iana.html#text-html"><code>text/html</code></a> type asserts that the resource is an <a data-link-type="dfn" href="infrastructure.html#html-document" id="ref-for-html-document-38">HTML document</a> using <a href="syntax.html#syntax">the HTML syntax</a>.</p>
     </dd><dt data-md="">
      <p>Applications that use this media type:</p>
     </dt><dd data-md="">
      <p>Web browsers, tools for processing Web content, HTML authoring tools, search engines,
  validators.</p>
     </dd><dt data-md="">
      <p>Additional information:</p>
     </dt><dd data-md="">
      <dl>
       <dt data-md="">
        <p>Magic number(s):</p>
       </dt><dd data-md="">
        <p>No sequence of bytes can uniquely identify an HTML document. More information on detecting
  HTML documents is available in the MIME Sniffing specification. <a data-link-type="biblio" href="references.html#biblio-mimesniff">[MIMESNIFF]</a></p>
       </dd><dt data-md="">
        <p>File extension(s):</p>
       </dt><dd data-md="">
        <p>"<code>html</code>" and "<code>htm</code>" are commonly, but certainly not exclusively,
  used as the extension for HTML documents.</p>
       </dd><dt data-md="">
        <p>Macintosh file type code(s):</p>
       </dt><dd data-md="">
        <p><code>TEXT</code></p>
      </dd></dl>
     </dd><dt data-md="">
      <p>Person &amp; email address to contact for further information:</p>
     </dt><dd data-md="">
      <p>Ian Hickson &lt;ian@hixie.ch&gt;</p>
     </dd><dt data-md="">
      <p>Intended usage:</p>
     </dt><dd data-md="">
      <p>Common</p>
     </dd><dt data-md="">
      <p>Restrictions on usage:</p>
     </dt><dd data-md="">
      <p>No restrictions apply.</p>
     </dd><dt data-md="">
      <p>Author:</p>
     </dt><dd data-md="">
      <p>Ian Hickson &lt;ian@hixie.ch&gt;</p>
     </dd><dt data-md="">
      <p>Change controller:</p>
     </dt><dd data-md="">
      <p>W3C</p>
    </dd></dl>
    <p>Fragment identifiers used with <a href="iana.html#text-html"><code>text/html</code></a> resources either refer to <a data-link-type="dfn" href="browsers.html#an-indicated-part-of-the-document" id="ref-for-an-indicated-part-of-the-document-12">the indicated part of the document</a> or provide state information for in-page scripts.</p>
    <h3 class="heading settled" data-level="12.2" id="multipart-x-mixed-replace"><span class="secno">12.2. </span><span class="content"><code>multipart/x-mixed-replace</code></span><a class="self-link" href="iana.html#multipart-x-mixed-replace"></a></h3>
    <p>This registration is for community review and will be submitted to the IESG for review, approval,
  and registration with IANA.</p>
    <dl>
     <dt data-md="">
      <p>Type name:</p>
     </dt><dd data-md="">
      <p>multipart</p>
     </dd><dt data-md="">
      <p>Subtype name:</p>
     </dt><dd data-md="">
      <p>x-mixed-replace</p>
     </dd><dt data-md="">
      <p>Required parameters:</p>
     </dt><dd data-md="">
      <ul>
       <li data-md="">
        <p><code>boundary</code> (defined in RFC2046) <a data-link-type="biblio" href="references.html#biblio-rfc2046">[RFC2046]</a></p>
      </li></ul>
     </dd><dt data-md="">
      <p>Optional parameters:</p>
     </dt><dd data-md="">
      <p>No optional parameters.</p>
     </dd><dt data-md="">
      <p>Encoding considerations:</p>
     </dt><dd data-md="">
      <p>binary</p>
     </dd><dt data-md="">
      <p>Security considerations:</p>
     </dt><dd data-md="">
      <p>Subresources of a <code>multipart/x-mixed-replace</code> resource can be of any type, including
  types with non-trivial security implications such as <a href="iana.html#text-html"><code>text/html</code></a>.</p>
     </dd><dt data-md="">
      <p>Interoperability considerations:</p>
     </dt><dd data-md="">
      <p>None.</p>
     </dd><dt data-md="">
      <p>Published specification:</p>
     </dt><dd data-md="">
      <p>This specification describes processing rules for Web browsers. Conformance requirements for
  generating resources with this type are the same as for <code>multipart/mixed</code>. <a data-link-type="biblio" href="references.html#biblio-rfc2046">[RFC2046]</a></p>
     </dd><dt data-md="">
      <p>Applications that use this media type:</p>
     </dt><dd data-md="">
      <p>This type is intended to be used in resources generated by Web servers, for consumption by Web
  browsers.</p>
     </dd><dt data-md="">
      <p>Additional information:</p>
     </dt><dd data-md="">
      <dl>
       <dt data-md="">
        <p>Magic number(s):</p>
       </dt><dd data-md="">
        <p>No sequence of bytes can uniquely identify a <code>multipart/x-mixed-replace</code> resource.</p>
       </dd><dt data-md="">
        <p>File extension(s):</p>
       </dt><dd data-md="">
        <p>No specific file extensions are recommended for this type.</p>
       </dd><dt data-md="">
        <p>Macintosh file type code(s):</p>
       </dt><dd data-md="">
        <p>No specific Macintosh file type codes are recommended for this type.</p>
      </dd></dl>
     </dd><dt data-md="">
      <p>Person &amp; email address to contact for further information:</p>
     </dt><dd data-md="">
      <p>Ian Hickson &lt;ian@hixie.ch&gt;</p>
     </dd><dt data-md="">
      <p>Intended usage:</p>
     </dt><dd data-md="">
      <p>Common</p>
     </dd><dt data-md="">
      <p>Restrictions on usage:</p>
     </dt><dd data-md="">
      <p>No restrictions apply.</p>
     </dd><dt data-md="">
      <p>Author:</p>
     </dt><dd data-md="">
      <p>Ian Hickson &lt;ian@hixie.ch&gt;</p>
     </dd><dt data-md="">
      <p>Change controller:</p>
     </dt><dd data-md="">
      <p>W3C</p>
    </dd></dl>
    <p>Fragment identifiers used with <code>multipart/x-mixed-replace</code> resources apply to each
  body part as defined by the type used by that body part.</p>
    <h3 class="heading settled" data-level="12.3" id="application-xhtmlxml"><span class="secno">12.3. </span><span class="content"><code>application/xhtml+xml</code></span><a class="self-link" href="iana.html#application-xhtmlxml"></a></h3>
    <p>This registration is for community review and will be submitted to the IESG for review, approval,
  and registration with IANA.</p>
    <dl>
     <dt data-md="">
      <p>Type name:</p>
     </dt><dd data-md="">
      <p>application</p>
     </dd><dt data-md="">
      <p>Subtype name:</p>
     </dt><dd data-md="">
      <p>xhtml+xml</p>
     </dd><dt data-md="">
      <p>Required parameters:</p>
     </dt><dd data-md="">
      <p>Same as for <code>application/xml</code> <a data-link-type="biblio" href="references.html#biblio-rfc7303">[RFC7303]</a></p>
     </dd><dt data-md="">
      <p>Optional parameters:</p>
     </dt><dd data-md="">
      <p>Same as for <code>application/xml</code> <a data-link-type="biblio" href="references.html#biblio-rfc7303">[RFC7303]</a></p>
     </dd><dt data-md="">
      <p>Encoding considerations:</p>
     </dt><dd data-md="">
      <p>Same as for <code>application/xml</code> <a data-link-type="biblio" href="references.html#biblio-rfc7303">[RFC7303]</a></p>
     </dd><dt data-md="">
      <p>Security considerations:</p>
     </dt><dd data-md="">
      <p>Same as for <code>application/xml</code> <a data-link-type="biblio" href="references.html#biblio-rfc7303">[RFC7303]</a></p>
     </dd><dt data-md="">
      <p>Interoperability considerations:</p>
     </dt><dd data-md="">
      <p>Same as for <code>application/xml</code> <a data-link-type="biblio" href="references.html#biblio-rfc7303">[RFC7303]</a></p>
     </dd><dt data-md="">
      <p>Published specification:</p>
     </dt><dd data-md="">
      <p>Labeling a resource with the <code>application/xhtml+xml</code> type asserts that the resource
  is an XML document that likely has a root element from the <a data-link-type="dfn" href="infrastructure.html#html-namespace" id="ref-for-html-namespace-47">HTML namespace</a>. Thus, the
  relevant specifications are the XML specification, the Namespaces in XML specification, and
  this specification. <a data-link-type="biblio" href="references.html#biblio-xml">[XML]</a> <a data-link-type="biblio" href="references.html#biblio-xptr-xmlns">[XPTR-XMLNS]</a></p>
     </dd><dt data-md="">
      <p>Applications that use this media type:</p>
     </dt><dd data-md="">
      <p>Same as for <code>application/xml</code> <a data-link-type="biblio" href="references.html#biblio-rfc7303">[RFC7303]</a></p>
     </dd><dt data-md="">
      <p>Additional information:</p>
     </dt><dd data-md="">
      <dl>
       <dt data-md="">
        <p>Magic number(s):</p>
       </dt><dd data-md="">
        <p>Same as for <code>application/xml</code> <a data-link-type="biblio" href="references.html#biblio-rfc7303">[RFC7303]</a></p>
       </dd><dt data-md="">
        <p>File extension(s):</p>
       </dt><dd data-md="">
        <p>"<code>xhtml</code>" and "<code>xht</code>"
  are sometimes used as extensions for XML resources that have a root element from the <a data-link-type="dfn" href="infrastructure.html#html-namespace" id="ref-for-html-namespace-48">HTML namespace</a>.</p>
       </dd><dt data-md="">
        <p>Macintosh file type code(s):</p>
       </dt><dd data-md="">
        <p><code>TEXT</code></p>
      </dd></dl>
     </dd><dt data-md="">
      <p>Person &amp; email address to contact for further information:</p>
     </dt><dd data-md="">
      <p>Ian Hickson &lt;ian@hixie.ch&gt;</p>
     </dd><dt data-md="">
      <p>Intended usage:</p>
     </dt><dd data-md="">
      <p>Common</p>
     </dd><dt data-md="">
      <p>Restrictions on usage:</p>
     </dt><dd data-md="">
      <p>No restrictions apply.</p>
     </dd><dt data-md="">
      <p>Author:</p>
     </dt><dd data-md="">
      <p>Ian Hickson &lt;ian@hixie.ch&gt;</p>
     </dd><dt data-md="">
      <p>Change controller:</p>
     </dt><dd data-md="">
      <p>W3C</p>
    </dd></dl>
    <p>Fragment identifiers used with <code>application/xhtml+xml</code> resources have the same
  semantics as with any <a data-link-type="dfn" href="infrastructure.html#xml-mime-type" id="ref-for-xml-mime-type-9">XML MIME type</a>. <a data-link-type="biblio" href="references.html#biblio-rfc7303">[RFC7303]</a></p>
    <h3 class="heading settled" data-level="12.4" id="web-scheme-prefix"><span class="secno">12.4. </span><span class="content"><code>web+</code> scheme prefix</span><a class="self-link" href="iana.html#web-scheme-prefix"></a></h3>
    <p>This section describes a convention for use with the IANA URI scheme registry. It does not
  itself register a specific scheme. <a data-link-type="biblio" href="references.html#biblio-rfc7595">[RFC7595]</a></p>
    <dl>
     <dt data-md="">
      <p>Scheme name:</p>
     </dt><dd data-md="">
      <p>Schemes starting with the four characters "<code>web+</code>" followed by one or more letters
  in the range <code>a</code>-<code>z</code>.</p>
     </dd><dt data-md="">
      <p>Status:</p>
     </dt><dd data-md="">
      <p>Permanent</p>
     </dd><dt data-md="">
      <p>Scheme syntax:</p>
     </dt><dd data-md="">
      <p>Scheme-specific.</p>
     </dd><dt data-md="">
      <p>Scheme semantics:</p>
     </dt><dd data-md="">
      <p>Scheme-specific.</p>
     </dd><dt data-md="">
      <p>Encoding considerations:</p>
     </dt><dd data-md="">
      <p>All "<code>web+</code>" schemes should use UTF-8 encodings where relevant.</p>
     </dd><dt data-md="">
      <p>Applications/protocols that use this scheme name:</p>
     </dt><dd data-md="">
      <p>Scheme-specific.</p>
     </dd><dt data-md="">
      <p>Interoperability considerations:</p>
     </dt><dd data-md="">
      <p>The scheme is expected to be used in the context of Web applications.</p>
     </dd><dt data-md="">
      <p>Security considerations:</p>
     </dt><dd data-md="">
      <p>Any Web page is able to register a handler for all "<code>web+</code>" schemes. As
  such, these schemes must not be used for features intended to be core platform features (e.g.,
  network transfer protocols like HTTP or FTP). Similarly, such schemes must not store
  confidential information in their URLs, such as usernames, passwords, personal information, or
  confidential project names.</p>
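      <p>A check for the two rules stated above, as an added example that is not part of the specification: the scheme name must be "<code>web+</code>" followed by one or more letters <code>a</code>-<code>z</code>, and the URL should not carry confidential information. The function name, the finding codes and the list of suspicious query keys are assumptions chosen for illustration; the key list is a heuristic, not an exhaustive test.</p>

```javascript
// Added example (not from the specification).
// Scheme names: "web+" followed by one or more letters a-z.
const WEB_PLUS = /^web\+[a-z]+$/;

// Heuristic, constructed list of query keys that suggest confidential
// data in the URL. An assumption for this example only.
const SENSITIVE_KEYS = new Set([
  "user", "username", "password", "passwd", "token", "secret",
]);

// Returns an array of finding codes; an empty array means no finding.
function checkWebPlusUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return ["unparseable"];
  }
  const findings = [];

  // The URL parser lowercases the scheme, so this checks the
  // normalised name, not the capitalisation used in the input.
  const scheme = u.protocol.slice(0, -1);
  if (!WEB_PLUS.test(scheme)) findings.push("scheme");

  // Credentials in the authority part (user:password@host).
  if (u.username !== "" || u.password !== "") findings.push("userinfo");

  // Query keys that look like they carry credentials or identities.
  for (const key of u.searchParams.keys()) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) findings.push("query:" + key);
  }
  return findings;
}

// Constructed sample URLs.
const samples = [
  "web+chat:room42",
  "web+chat://alice:s3cret@chat.example/room?token=abc",
  "web+chat2:room42",
  "web+:room42",
];
for (const s of samples) {
  console.log(s, checkWebPlusUrl(s));
}
```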
     </dd><dt data-md="">
      <p>Contact:</p>
     </dt><dd data-md="">
      <p>Ian Hickson &lt;ian@hixie.ch&gt;</p>
     </dd><dt data-md="">
      <p>Change controller:</p>
     </dt><dd data-md="">
      <p>Ian Hickson &lt;ian@hixie.ch&gt;</p>
     </dd><dt data-md="">
      <p>References:</p>
     </dt><dd data-md="">
      <p><cite>Custom scheme and content handlers</cite>, HTML Living Standard: <a href="https://html.spec.whatwg.org/#custom-handlers">https://html.spec.whatwg.org/#custom-handlers</a></p>
    </dd></dl>
   </section></main>
  
<script src="js/fixup.js"></script>
  

</body></html>
